
One Host, Two Hosts, Red Host, Blue Host – Part 2

By Steven Pressman, July 6, 2016 (updated May 14th, 2021). Category: Cybersecurity

This is the second post in our multi-part Seusstastic series on the real threats that face home networks, where we can apply real-world enterprise grade protections to keep ourselves safe in the connected world.

First off – If you haven’t read part 1, I highly recommend you take 5 minutes and do so. In part 1, How The Grinch Stole… Your Information, I presented a simple construct: Cyber thieves are not only just outside your physical and digital homes, they are constantly testing and scanning for vulnerabilities. The argument is simple: Thieves will be thieves and you can’t just sit back idly and hope that you aren’t targeted or victimized. There are things you can do! Simply by making smart, informed decisions about what capabilities you choose to deploy on your home network you can drive the risk factor down considerably.

In part 2, One Host, Two Hosts, Red Host, Blue Host, I will explain why it is important to understand and maintain a concise listing of your network’s hosts, active services and ports. It is shocking how ignorant people and companies are when it comes to understanding the devices that they use on a daily basis and the information that is stored or accessed by them. This is a very real problem for networks of all sizes and a particularly pressing challenge for companies who hold other people’s personal information as part of doing business. Personally, how do you know that every entry to your network or computer is locked? Professionally, how do you lock the doors on a network of hundreds of computers?

You don’t know what you don’t know… So scan for it!

For the better part of a year I’ve met directly with clients and performed vulnerability assessments on their networks. These almost always include a host vulnerability scan of connected devices. We usually use an autonomous network vulnerability test (NVT) scanner as part of this assessment. This scanner interrogates hosts again and again to check whether they will fall victim to any known vulnerabilities (the database of which is constantly updated). We’ll revisit this concept of scanning hosts in a later post, but I bring it up here because before you can scan anything you need to enumerate (list) each host and verify that it responds.

So what exactly is a host? In the simplest terms, a host is an object that exists on a network, has its own address or other way of identifying it, and provides some level of service via an application it runs.

Alpine has generated a checklist for our clients which lists the different types of hosts that they should include when they count all of their network-enabled devices. This list sometimes surprises them! Of course it includes the expected desktops and laptops. But it also gets down to the more obscure class of “Internet of Things” devices. This includes printers, Smart Boards, Smart TVs, HVAC devices, and many many others. Basically what we try to do is get our clients thinking broadly about any device, big or small, mission critical or disposable, obvious or obscure, that has an Internet Protocol (IP) address on their network. We want to know about each of these hosts because we can then have a conversation about how those hosts are configured, why they have them on their network, where they exist in the security stack, and who uses them. This typically spawns discussion about the risks associated with different devices and how a customer can safely use them. Again, revisit part 1 to understand the types of questions we ask about host security.

So after you generate a list of hosts (computers, appliances, phones, tablets, etc.), how do you verify that the list is complete? The good news is that there is an excellent free tool available called Nmap that can help you enumerate the hosts on your network, and not only that, it will help you see what ports they have open! #score Google how to install Nmap on your computer if you don’t have it. When you have it installed, run a command like:

sudo nmap -sS $(nmap -v -sn 192.168.1.1/24 | grep -v down | grep report | cut -d " " -f5)


This command takes the output of a Ping Scan (by Nmap) that looks only at IP addresses within the 192.168.1.1 – 192.168.1.255 range, keeps only the IP addresses that responded, and feeds them into a SYN Scan (by Nmap). The whole thing runs as a super user (sudo) because a SYN scan sends raw packets and needs root privileges. The output this entire command produces should resemble the following:

Starting Nmap 7.12 ( https://nmap.org ) at 2016-07-05 12:10 EDT
Nmap scan report for 192.168.1.1
Host is up (0.0011s latency).
Not shown: 992 closed ports
PORT STATE SERVICE
21/tcp open ftp
23/tcp open telnet
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1900/tcp open upnp
49152/tcp open unknown
49153/tcp open unknown
MAC Address: 00:11:22:33:44:55 (Netgear)

Nmap scan report for 192.168.1.3
Host is up (0.00033s latency).
Not shown: 991 closed ports
PORT STATE SERVICE
88/tcp open kerberos-sec
445/tcp open microsoft-ds
548/tcp open afp
5001/tcp open commplex-link
5900/tcp open vnc
7000/tcp open afs3-fileserver
7001/tcp open afs3-callback
7100/tcp open font-service
49152/tcp open unknown
MAC Address: AA:BB:CC:DD:EE:FF (Apple)

Nmap scan report for 192.168.1.4
Host is up (0.00045s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
88/tcp open kerberos-sec
3689/tcp open rendezvous
5900/tcp open vnc
MAC Address: 99:AA:88:BB:77:CC (Android)

Nmap scan report for 192.168.1.5
Host is up (0.0000020s latency).
All 1000 scanned ports on 192.168.1.5 are closed


You could read this output like this:

One Host, Two Host, Red Host, Blue Host...
This one is open to FTP, this one's accessible via http!
Say! That looks like a lot of open ports to me!


There is plenty of documentation for how to interpret the output from Nmap and how to use Nmap in different ways. But the thing to notice is that, for instance, on the 192.168.1.1 host (which is most likely the router where all of the devices on that network are connected) there are 8 ports that were detected as open. Among them are port 80 (used for hosting a website), port 21 (typically used for file transfers), port 23 (used for connecting via telnet to a host), etc… This just goes to show you how many doors and windows are left open – PER DEVICE!
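As an added example (not code from the original post), here is a small Python script that turns Nmap’s report above into a host inventory, diffs it against the hand-made host list the post asks you to build, and flags the services the post singles out as open doors. The sample output is a constructed trim of the scan shown above, and REVIEW_SERVICES is an assumed review list, not Nmap’s.

```python
import re

# Constructed sample: the router and the all-closed host from the post's
# SYN-scan output, embedded so the parser runs offline.
SAMPLE_OUTPUT = """\
Nmap scan report for 192.168.1.1
Host is up (0.0011s latency).
Not shown: 992 closed ports
PORT STATE SERVICE
21/tcp open ftp
23/tcp open telnet
80/tcp open http
MAC Address: 00:11:22:33:44:55 (Netgear)

Nmap scan report for 192.168.1.5
Host is up (0.0000020s latency).
All 1000 scanned ports on 192.168.1.5 are closed
"""

# Services worth a second look (cleartext or remote access): an assumed list.
REVIEW_SERVICES = {"ftp", "telnet", "http", "vnc"}

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
MAC_RE = re.compile(r"^MAC Address: \S+ \((.*)\)")

def parse_nmap(text):
    """Map each scanned IP to its vendor and its open (port, proto, service) list."""
    hosts, cur = {}, None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            cur = hosts.setdefault(m.group(1), {"vendor": None, "open": []})
        elif cur is None:
            continue                      # banner lines before the first report
        elif (m := PORT_RE.match(line)) and m.group(3) == "open":
            cur["open"].append((int(m.group(1)), m.group(2), m.group(4)))
        elif m := MAC_RE.match(line):
            cur["vendor"] = m.group(1)
    return hosts

def review_inventory(expected_ips, hosts):
    """Diff the scan against the hand-made host list and flag services to revisit."""
    seen = set(hosts)
    flagged = {ip: sorted(s for _, _, s in h["open"] if s in REVIEW_SERVICES)
               for ip, h in hosts.items()}
    return {"unexpected": sorted(seen - set(expected_ips)),  # answering, not listed
            "missing": sorted(set(expected_ips) - seen),     # listed, not answering
            "flagged": {ip: svcs for ip, svcs in flagged.items() if svcs}}
```

Run it with the saved output of the command above in place of SAMPLE_OUTPUT; a host in "missing" may simply not answer Nmap’s ping probes (a firewall on the device will do that), so it still needs a look rather than being crossed off.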

Networks are becoming more and more complex and new devices that we previously would never have imagined to exist on a network are becoming mainstream. These devices, as well as the more traditional ones, should be carefully inspected periodically and tested frequently to ensure that they are not leaving your network vulnerable. As we’ve said before… it’s a dangerous world out there.

Take the time to download Nmap onto one of your computers at home and run it. You may be surprised at what you find!

There is still more to come from this series. Next week we’ll show you how to determine what hosts are vulnerable to the ever evolving world of computer exploits. This is a critical piece of the risk assessment process because just knowing what it is you have and what ports are open isn’t enough. Sometimes having an open port is fine. The threat landscape is always shifting though and new methods for attacking hosts are being found. We’ll talk about what you can do to combat that by testing the security level of any open ports with a vulnerability scan.

Steven Pressman